From 49a2e9360db289c637732a60460f3d7d47f9fb53 Mon Sep 17 00:00:00 2001 From: Jun Kimura Date: Thu, 15 May 2025 00:49:26 +0900 Subject: [PATCH] support `tcbEvaluationDataNumber` parameter for getting TCBInfo and QEIdentity Signed-off-by: Jun Kimura --- crates/pcs/src/client.rs | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/crates/pcs/src/client.rs b/crates/pcs/src/client.rs index d11e1f2..2adf0db 100644 --- a/crates/pcs/src/client.rs +++ b/crates/pcs/src/client.rs @@ -20,14 +20,14 @@ pub struct PCSClient { pcs_or_pccs_url: String, /// The URL of the Intel SGX Certificates Service. certs_service_url: String, - /// Whether to use the early update or standard update to get the TCB info. - is_early_update: bool, + /// The target TCB evaluation data number. If None, the latest TCB evaluation data will be used. + target_tcb_evaluation_data_number: Option, } impl Default for PCSClient { /// Default PCSClient uses Intel's PCS and Certificates Service URLs. fn default() -> Self { - PCSClient::new(INTEL_SGX_PCS_URL, INTEL_SGX_CERTS_URL, false) + PCSClient::new(INTEL_SGX_PCS_URL, INTEL_SGX_CERTS_URL, None) } } @@ -37,12 +37,16 @@ impl PCSClient { /// # Arguments /// * `pcs_or_pccs_url` - The URL of the Provisioning Certification Service (PCS) or Provisioning Certification Caching Service (PCCS). /// * `certs_service_url` - The URL of the Intel SGX Certificates Service. - /// * `is_early_update` - Whether to use the early update policy. - pub fn new(pcs_or_pccs_url: &str, certs_service_url: &str, is_early_update: bool) -> Self { + /// * `target_tcb_evaluation_data_number` - The target TCB evaluation data number. If None, the latest TCB evaluation data will be used. + pub fn new( + pcs_or_pccs_url: &str, + certs_service_url: &str, + target_tcb_evaluation_data_number: Option, + ) -> Self { PCSClient { pcs_or_pccs_url: pcs_or_pccs_url.trim_end_matches('/').to_string(), certs_service_url: certs_service_url.trim_end_matches('/').to_string(), - is_early_update, + target_tcb_evaluation_data_number, } } @@ -82,13 +86,13 @@ impl PCSClient { let sgx_extensions = extract_sgx_extensions(pck_cert) .map_err(|e| anyhow!("cannot extract SGX extensions: {}", e))?; - let update_policy = self.update_policy(); + let tcb_evaludation_policy = self.tcb_evaludation_policy(); // get the TCB info of the platform let (tcb_info_json, sgx_tcb_signing_der) = { let fmspc = hex::encode_upper(sgx_extensions.fmspc); let res = http_get(format!( - "{base_url}/tcb?fmspc={fmspc}&update={update_policy}" + "{base_url}/tcb?fmspc={fmspc}&{tcb_evaludation_policy}" ))?; let issuer_chain = extract_raw_certs(get_header(&res, "TCB-Info-Issuer-Chain")?.as_bytes())?; @@ -97,7 +101,7 @@ impl PCSClient { // get the QE identity let qe_identity_json = - http_get(format!("{base_url}/qe/identity?update={update_policy}"))?.text()?; + http_get(format!("{base_url}/qe/identity?{tcb_evaludation_policy}"))?.text()?; let pck_crl_url = if is_sgx_pck_platform_ca_dn(pck_cert_issuer.subject())? { format!("{pcs_url}/sgx/certification/v4/pckcrl?ca=platform&encoding=der") @@ -179,11 +183,11 @@ impl PCSClient { }) } - fn update_policy(&self) -> &str { - if self.is_early_update { - "early" + fn tcb_evaludation_policy(&self) -> String { + if let Some(target_tcb_evaluation_data_number) = self.target_tcb_evaluation_data_number { + format!("tcbEvaluationDataNumber={target_tcb_evaluation_data_number}") } else { - "standard" + "update=early".to_string() } } }